On 2011/07/05 9:08 AM, Ron Gula wrote:
> On 7/2/2011 11:41 AM, Michael Lubinski wrote:
>> Read:
>> http://blog.zeltser.com/post/6479619232/protean-information-security-architecture
>>
>> Knowing this list has a significant amount of pen testers and such, what
>> say you?
>>
>>
> 
> I really like the emotion behind this concept, but don't like this for
> practical reasons.
[..]
> I don't mind at all having fake targets on the inside of your network,
> but the idea of constantly reconfiguring the data structures and servers
> as a method to thwart pen testers is no substitute for patching, tight
> inbound/outbound ACLs, network monitoring and log analysis.

My first thought was "it must be nice to have the kind of free time
after doing..." everything you say, and more, including convincing
sysadmins that yes, the firewall really is there to help you and yes,
you really do need to figure out precisely how that workstation got
popped and writing documentation and helping others to do the same and
responding (or actively ignoring) RIAA/MPAA complaints and figuring out
if the lack of IDS logs is because of a NIC failure, driver bug, OS bug,
disk failure, something else, going to meetings with your co-workers or
management... all the other stuff blue-team IT types do on a daily
basis. Or would, if they had 48 hour days.

And THEN, when you DO have that kind of time, you get to spend MORE time
ensuring that your new honeypots don't actually become a vulnerability
themselves. While you convince management that they're necessary, and
try to assuage the fears of NOC monkeys, and...

OK, yeah, confusing the attacker is well and good, but unless you've got
all the other ducks in a row, you might be finding the root of all evil
- premature optimisation. Lenny's idea is nice in theory, but in
practice, I think it belongs near the bottom of the priority list.

Mike
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com